Unrevoke GPG Primary Key

WARNING: This section is about tinkering with a GPG primary key. It is black magic, so do not do it unless you know what you are doing.

If, for whatever reason, you want to remove the revocation from a revoked primary key, this section guides you through it. NOTE that the proper way is to restore the key from a backup taken before the revocation.

Un-revoke Primary Key

If you regret revoking a primary key and you have not yet distributed the revoked key to any key server (or to anyone else), you can un-revoke it. If the revoked public key has already been distributed, un-revoking your local copy achieves little: GnuPG merges signatures on import and never drops existing ones, so anyone who already holds the revocation keeps it, and your own copy will pick the revocation up again the next time you refresh the key from a key server. In that case treat the key as retired and move to a new one.


Check Your Revoked Key

First, check the revoked key. Both --list-keys and --list-secret-keys should show the revoked label:

$ gpg --list-keys
/home/jane/.gnupg/pubring.kbx
---------------------------------
pub   rsa4096 2018-09-23 [SC] [revoked: 2018-09-28]
      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid           [ revoked] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>

$ gpg --list-secret-keys
/home/jane/.gnupg/pubring.kbx
---------------------------------
sec   rsa4096 2018-09-23 [SC] [revoked: 2018-09-28]
      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid           [ revoked] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>


Export Your Public Key

Now export the public key. The command is:

$ gpg --export <key-ID> > revoked.gpg

Here's an example based on the output above:

$ gpg --export 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9 > revoked.gpg
$ ls
revoked.gpg
$


Split The Public Key

Now split the public key with the gpgsplit command. It writes every packet in the file (keys, user IDs and signatures) to its own file, named by sequence number and packet tag. Run it in an empty scratch directory, because the reassembly step later relies on a shell glob picking up exactly these files.

$ gpgsplit <public file>

Here's an example based on the output above:

$ gpgsplit revoked.gpg
$ ls
revoked.gpg
000001-006.public_key
000002-002.sig
000003-013.user_id
000004-002.sig
000005-014.public_subkey
000006-002.sig
000007-014.public_subkey
000008-002.sig

$


Look for Revoke Certificate Signature

Look for the signature file (.sig) that holds the revocation signature. Usually it is 000002-002.sig, the signature directly after the primary key packet, but verify with gpg --list-packets <signature file> before deleting anything.

The packet you want has signature class 0x20 (sigclass 0x20 in the output), which is a revocation of the primary key. Do not confuse it with 0x28 (subkey revocation) or 0x30 (revocation of a user ID certification); those are different signatures and are not what this procedure removes. The hashed subpacket 29 records the revocation reason (0x01 is "key is superseded") together with the comment given at revocation time. Based on the example above:

$ gpg --list-packets 000002-002.sig
# off=0 ctb=89 tag=2 hlen=3 plen=849
:signature packet: algo 1, keyid 445AC05FC0F56EA9
  version 4, created 1538140913, md5len 0, sigclass 0x20
 digest algo 8, begin of digest fb db
 hashed subpkt 33 len 21 (issuer fpr v4 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9)
 hashed subpkt 2 len 4 (sig created 2018-09-28)
 hashed subpkt 29 len 283 (revocation reason 0x01 (Proceed to use the main key with fingerprint DFE3 8497 1163 9287 E4DD  2095 D94C A965 2371 5D12\navailable at various keyservers:\n1. pgp.mit.edu (https://pgp.mit.edu/pks/lookup?op=get&search=0xD94CA96523715D12\x29\n2. pool.sks-keyservers.net\n3. keyring.debian.org\n4. keyserver.ubuntu.com))
 subpkt 16 len 8 (issuer key ID 445AC05FC0F56EA9)
 data: [4092 bits]

Delete the Revocation Certificate Signature

Now that you have identified the file, delete it. If you want a way back, copy it somewhere safe first: the file is a complete revocation certificate, and importing it with gpg --import would revoke the key again. Based on the example above:

$ rm 000002-002.sig
$ ls
revoked.gpg
000001-006.public_key
000003-013.user_id
000004-002.sig
000005-014.public_subkey
000006-002.sig
000007-014.public_subkey
000008-002.sig

$


Assemble the Public Key Back Again

Reassemble the remaining packets into one file with cat. The files are numbered in sequence, so the shell glob concatenates them in the original order. Example:

$ cat 00000* > myfixedkey.gpg
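The split, inspect, delete and reassemble steps above only manipulate OpenPGP packet framing, so they can be done in one pass without gpgsplit. The following Python script is an added example (not code from the original page or from GnuPG): it walks the packets of an exported key, names them the way gpgsplit would, and drops every signature packet whose class is 0x20, keeping everything else byte for byte. The sample key it is exercised on is a constructed dummy with made-up packet bodies, not real key material.

```python
#!/usr/bin/env python3
"""Strip primary-key revocation signatures (sigclass 0x20) from an exported
OpenPGP key blob: the gpgsplit / --list-packets / rm / cat steps in one pass.
Added example, not code from the original page or from GnuPG.  Packet framing
follows RFC 4880 section 4.2; bodies are copied through unparsed, just as
gpgsplit does.  SAMPLE_KEY below is a constructed dummy, not a real key."""

import struct

# Packet tags (RFC 4880 section 4.3) and the file suffixes gpgsplit uses.
TAG_SIG, TAG_PUBKEY, TAG_UID, TAG_PUBSUB = 2, 6, 13, 14
SPLIT_NAMES = {2: "sig", 5: "secret_key", 6: "public_key", 7: "secret_subkey",
               12: "trust", 13: "user_id", 14: "public_subkey", 17: "attribute"}
SIGCLASS_KEY_REVOCATION = 0x20   # 0x28 = subkey, 0x30 = certification revocation


def iter_packets(blob):
    """Yield (tag, body, raw) per packet; raw is the header plus the body."""
    off = 0
    while off < len(blob):
        ctb = blob[off]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % off)
        if ctb & 0x40:                       # new-format header
            tag = ctb & 0x3F
            first = blob[off + 1]
            if first < 192:
                hlen, plen = 2, first
            elif first < 224:
                hlen, plen = 3, ((first - 192) << 8) + blob[off + 2] + 192
            elif first == 255:
                hlen, plen = 6, struct.unpack(">I", blob[off + 2:off + 6])[0]
            else:
                raise NotImplementedError("partial body lengths not supported")
        else:                                # old-format header (what gpg exports)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise NotImplementedError("indeterminate length not supported")
            hlen = 1 + (1 << ltype)          # 1, 2 or 4 length octets
            plen = int.from_bytes(blob[off + 1:off + hlen], "big")
        end = off + hlen + plen
        if end > len(blob):
            raise ValueError("truncated packet at offset %d" % off)
        yield tag, blob[off + hlen:end], blob[off:end]
        off = end


def signature_class(body):
    """Return the signature type octet (gpg's 'sigclass') of a signature packet."""
    version = body[0]
    if version in (4, 5):                    # v4/v5: version, sigclass, ...
        return body[1]
    if version == 3:                         # v3: version, 0x05, sigclass, ...
        return body[2]
    raise ValueError("unsupported signature version %d" % version)


def gpgsplit_names(blob):
    """File names gpgsplit would assign: 000001-006.public_key, 000002-002.sig, ..."""
    return ["%06d-%03d.%s" % (i, tag, SPLIT_NAMES.get(tag, "unknown"))
            for i, (tag, _, _) in enumerate(iter_packets(blob), start=1)]


def strip_key_revocations(blob):
    """Return (blob without sigclass 0x20 signature packets, packets removed)."""
    kept, removed = [], 0
    for tag, body, raw in iter_packets(blob):
        if tag == TAG_SIG and signature_class(body) == SIGCLASS_KEY_REVOCATION:
            removed += 1
            continue
        kept.append(raw)
    return b"".join(kept), removed


def old_packet(tag, body):
    """Frame a body as an old-format packet, the way gpg --export does."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2) | 0, len(body)]) + body
    if len(body) < 65536:
        return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
    return bytes([0x80 | (tag << 2) | 2]) + struct.pack(">I", len(body)) + body


def dummy_sig(sigclass):
    """A v4 signature packet body with the given class and no real signature data."""
    return bytes([4, sigclass, 1, 8]) + b"\x00\x00" + b"\x00\x00" + b"\xfb\xdb" + b"\x00\x08\x80"


# Constructed sample: primary key, its revocation, a user ID with a positive
# certification (0x13), and a subkey with its binding signature (0x18).
SAMPLE_KEY = b"".join([
    old_packet(TAG_PUBKEY, b"\x04" + b"\x00" * 12),
    old_packet(TAG_SIG, dummy_sig(SIGCLASS_KEY_REVOCATION)),
    old_packet(TAG_UID, b"Jane Smith <jane.smith@example.com>"),
    old_packet(TAG_SIG, dummy_sig(0x13)),
    old_packet(TAG_PUBSUB, b"\x04" + b"\x00" * 12),
    old_packet(TAG_SIG, dummy_sig(0x18)),
])

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        fixed, n = strip_key_revocations(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(fixed)
    print("removed %d key revocation signature(s), kept %d packet(s)"
          % (n, len(gpgsplit_names(fixed))))
```

Run it as `python3 unrevoke.py revoked.gpg myfixedkey.gpg` and continue with the --expert delete and the import below. Like gpgsplit, it validates nothing beyond the packet headers, so the output is only as good as the input; check it with gpg --list-packets before importing.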


Expertly Remove the Old Key

Now that we have a clean public key, delete the existing public key from the keyring. GnuPG normally refuses to delete a public key while its secret key is still present and tells you to use --delete-secret-keys first; the --expert option overrides that check and leaves the secret key material in place, which is exactly what we want here. This is why the --expert argument is needed. Here is the command:

$ gpg --expert --delete-key <key-ID>

Based on the example above:

$ gpg --expert --delete-key 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9

You will be asked to confirm the deletion. Answer yes (y).


Import the Fixed Public Key

With the old public key removed, import the fixed public key. Because the secret key material was left in place, GnuPG reattaches it to the freshly imported public key, so the secret key listing comes back without any further step.

$ gpg --import myfixedkey.gpg


Verify the Key

Everything is done; verify the key again. It should no longer be shown as revoked, and the ownertrust (ultimate here) survives because it is kept in the trust database rather than in the key itself.

$ gpg --list-keys
/home/jane/.gnupg/pubring.kbx
---------------------------------
pub   rsa4096 2018-09-23 [SC]
      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid           [ultimate] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
sub   rsa4096 2018-09-23 [E]
sub   rsa4096 2018-09-23 [E]
sub   rsa4096 2018-09-23 [S]

$ gpg --list-secret-keys
/home/jane/.gnupg/pubring.kbx
---------------------------------
sec   rsa4096 2018-09-23 [SC]
      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid           [ultimate] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
ssb   rsa4096 2018-09-23 [E]
ssb   rsa4096 2018-09-23 [E]
ssb   rsa4096 2018-09-23 [S]


Clean Up

With everything up and running, clean up your workspace: remove revoked.gpg, myfixedkey.gpg and the split packet files. They contain only public key material, but there is no reason to keep them around.

That's all about un-revoking a key in GnuPG.